data/reports: add 4 high-priority reports

  - data/reports/GO-2025-3764.yaml
  - data/reports/GO-2025-3765.yaml
  - data/reports/GO-2025-3770.yaml
  - data/reports/GO-2025-3802.yaml

Fixes golang/vulndb#3764
Fixes golang/vulndb#3765
Updates golang/vulndb#3770
Fixes golang/vulndb#3802

Change-Id: I8cf9e138f1720acbc209fa0bf5dcbe723aba5614
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/688355
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
diff --git a/data/osv/GO-2025-3764.json b/data/osv/GO-2025-3764.json
new file mode 100644
index 0000000..881a794
--- /dev/null
+++ b/data/osv/GO-2025-3764.json
@@ -0,0 +1,87 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3764",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-44905",
+    "GHSA-6xp3-p59p-q4fj"
+  ],
+  "summary": "SQL injection vulnerability via the component /types/append_value.go in github.com/go-pg/pg",
+  "details": "SQL injection vulnerability via the component /types/append_value.go in github.com/go-pg/pg",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/go-pg/pg",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/go-pg/pg/v9",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/go-pg/pg/v10",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-6xp3-p59p-q4fj"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-pg/pg/blob/30e7053c6cacdd44d06cf2b92183b49188b7c922/types/append_value.go#L151"
+    },
+    {
+      "type": "WEB",
+      "url": "https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn%27t%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3764",
+    "review_status": "REVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3765.json b/data/osv/GO-2025-3765.json
new file mode 100644
index 0000000..3c888fc
--- /dev/null
+++ b/data/osv/GO-2025-3765.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3765",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-44906",
+    "GHSA-h4h6-vccr-44h2"
+  ],
+  "summary": "SQL injection vulnerability in github.com/uptrace/bun/driver/pgdriver",
+  "details": "SQL injection vulnerability in github.com/uptrace/bun/driver/pgdriver",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/uptrace/bun/driver/pgdriver",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-h4h6-vccr-44h2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/uptrace/bun/blob/1573ae7c2fffad1a7f72fd2d205e924b2fd4043b/driver/pgdriver/format.go#L62"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/uptrace/bun/tree/master/driver/pgdriver"
+    },
+    {
+      "type": "WEB",
+      "url": "https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn%27t%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3765",
+    "review_status": "REVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3770.json b/data/osv/GO-2025-3770.json
new file mode 100644
index 0000000..e0732d4
--- /dev/null
+++ b/data/osv/GO-2025-3770.json
@@ -0,0 +1,115 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3770",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-vrw8-fxc6-2r93"
+  ],
+  "summary": "Host Header Injection which Leads to Open Redirect in RedirectSlashes in github.com/go-chi/chi",
+  "details": "Host Header Injection which Leads to Open Redirect in RedirectSlashes in github.com/go-chi/chi",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/go-chi/chi",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/go-chi/chi/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/go-chi/chi/v3",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/go-chi/chi/v4",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/go-chi/chi/v5",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.2.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/go-chi/chi/security/advisories/GHSA-vrw8-fxc6-2r93"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/go-chi/chi/commit/1be7ad938cc9c5b39a9dea01a5c518848928ab65"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3770",
+    "review_status": "REVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2025-3802.json b/data/osv/GO-2025-3802.json
new file mode 100644
index 0000000..ac23c91
--- /dev/null
+++ b/data/osv/GO-2025-3802.json
@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3802",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-53547",
+    "GHSA-557j-xg8c-q2mm"
+  ],
+  "summary": "Helm vulnerable to Code Injection through malicious chart.yaml content in helm.sh/helm",
+  "details": "Helm vulnerable to Code Injection through malicious chart.yaml content in helm.sh/helm",
+  "affected": [
+    {
+      "package": {
+        "name": "helm.sh/helm/v3",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.18.4"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "helm.sh/helm/v3/pkg/downloader",
+            "symbols": [
+              "Manager.Build",
+              "Manager.Update",
+              "writeLock"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/helm/helm/security/advisories/GHSA-557j-xg8c-q2mm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/helm/helm/commit/4b8e61093d8f579f1165cdc6bd4b43fa5455f571"
+    },
+    {
+      "type": "WEB",
+      "url": "https://news.ycombinator.com/item?id=44506696"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3802",
+    "review_status": "REVIEWED"
+  }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3764.yaml b/data/reports/GO-2025-3764.yaml
new file mode 100644
index 0000000..d002576
--- /dev/null
+++ b/data/reports/GO-2025-3764.yaml
@@ -0,0 +1,26 @@
+id: GO-2025-3764
+modules:
+    - module: github.com/go-pg/pg
+      vulnerable_at: 8.0.7
+    - module: github.com/go-pg/pg/v9
+      vulnerable_at: 9.2.1
+    - module: github.com/go-pg/pg/v10
+      vulnerable_at: 10.13.0
+summary: |-
+    SQL injection vulnerability via the component /types/append_value.go in
+    github.com/go-pg/pg
+cves:
+    - CVE-2024-44905
+ghsas:
+    - GHSA-6xp3-p59p-q4fj
+references:
+    - advisory: https://github.com/advisories/GHSA-6xp3-p59p-q4fj
+    - web: https://github.com/go-pg/pg/blob/30e7053c6cacdd44d06cf2b92183b49188b7c922/types/append_value.go#L151
+    - web: https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn%27t%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
+    - web: https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw
+notes:
+    - No known fix commit for any specified version.
+source:
+    id: GHSA-6xp3-p59p-q4fj
+    created: 2025-07-16T11:06:41.876419-04:00
+review_status: REVIEWED
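Review bot: None of the three `modules` entries has a `packages:` or `symbols:` list, although the references pin the flaw to one file (`types/append_value.go#L151`), so the record matches every importer at module level with an open-ended range. Since `notes` states there is no known fix commit, a `description:` saying which inputs reach the vulnerable formatting path and what callers can do in the meantime would make the entry actionable; the summary alone only repeats the advisory title. If the affected package can be confirmed, adding it under each module (presumably the `types` package of each major version) would let symbol-aware scanning narrow findings, as GO-2025-3802.yaml in this change does. The same gap is present in GO-2025-3765.yaml.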
diff --git a/data/reports/GO-2025-3765.yaml b/data/reports/GO-2025-3765.yaml
new file mode 100644
index 0000000..64ec45e
--- /dev/null
+++ b/data/reports/GO-2025-3765.yaml
@@ -0,0 +1,21 @@
+id: GO-2025-3765
+modules:
+    - module: github.com/uptrace/bun/driver/pgdriver
+      vulnerable_at: 1.2.14
+summary: SQL injection vulnerability in github.com/uptrace/bun/driver/pgdriver
+cves:
+    - CVE-2024-44906
+ghsas:
+    - GHSA-h4h6-vccr-44h2
+references:
+    - advisory: https://github.com/advisories/GHSA-h4h6-vccr-44h2
+    - web: https://github.com/uptrace/bun/blob/1573ae7c2fffad1a7f72fd2d205e924b2fd4043b/driver/pgdriver/format.go#L62
+    - web: https://github.com/uptrace/bun/tree/master/driver/pgdriver
+    - web: https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn%27t%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
+    - web: https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw
+notes:
+    - No known fix commit.
+source:
+    id: GHSA-h4h6-vccr-44h2
+    created: 2025-07-16T11:06:35.100738-04:00
+review_status: REVIEWED
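Review bot: The reference `web: https://github.com/uptrace/bun/tree/master/driver/pgdriver` points at a moving branch, so it will stop showing the vulnerable code as soon as the driver changes. The line above it already pins `format.go#L62` to commit `1573ae7c2fffad1a7f72fd2d205e924b2fd4043b`. Either drop the branch link or pin it to the same commit, e.g. `- web: https://github.com/uptrace/bun/tree/1573ae7c2fffad1a7f72fd2d205e924b2fd4043b/driver/pgdriver`.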
diff --git a/data/reports/GO-2025-3770.yaml b/data/reports/GO-2025-3770.yaml
new file mode 100644
index 0000000..85cf8d0
--- /dev/null
+++ b/data/reports/GO-2025-3770.yaml
@@ -0,0 +1,28 @@
+id: GO-2025-3770
+modules:
+    - module: github.com/go-chi/chi
+      vulnerable_at: 1.5.5
+    - module: github.com/go-chi/chi/v2
+      vulnerable_at: 2.1.1
+    - module: github.com/go-chi/chi/v3
+      vulnerable_at: 3.3.5
+    - module: github.com/go-chi/chi/v4
+      vulnerable_at: 4.1.3
+    - module: github.com/go-chi/chi/v5
+      versions:
+        - fixed: 5.2.2
+      vulnerable_at: 5.2.1
+summary: |-
+    Host Header Injection which Leads to Open Redirect in RedirectSlashes
+    in github.com/go-chi/chi
+ghsas:
+    - GHSA-vrw8-fxc6-2r93
+references:
+    - advisory: https://github.com/go-chi/chi/security/advisories/GHSA-vrw8-fxc6-2r93
+    - fix: https://github.com/go-chi/chi/commit/1be7ad938cc9c5b39a9dea01a5c518848928ab65
+notes:
+    - Fix commit exists but no official patched version has been published.
+source:
+    id: GHSA-vrw8-fxc6-2r93
+    created: 2025-07-16T11:06:31.667002-04:00
+review_status: REVIEWED
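Review bot: The `notes` entry says "no official patched version has been published", but the `github.com/go-chi/chi/v5` module declares `fixed: 5.2.2` next to `vulnerable_at: 5.2.1`, so one of the two statements is stale. If v5.2.2 is tagged, the note should be removed; if it is not, the `fixed` value tells scanners and users that a patched release exists when it may not. The four older majors (`chi` through `chi/v4`) have no `versions`, so they are reported as affected with no fix. If that is intended, the note would be more useful reworded along the lines of `- No fix is available for major versions before v5.`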
diff --git a/data/reports/GO-2025-3802.yaml b/data/reports/GO-2025-3802.yaml
new file mode 100644
index 0000000..fd874a0
--- /dev/null
+++ b/data/reports/GO-2025-3802.yaml
@@ -0,0 +1,28 @@
+id: GO-2025-3802
+modules:
+    - module: helm.sh/helm/v3
+      versions:
+        - fixed: 3.18.4
+      vulnerable_at: 3.18.3
+      packages:
+        - package: helm.sh/helm/v3/pkg/downloader
+          symbols:
+            - writeLock
+          derived_symbols:
+            - Manager.Build
+            - Manager.Update
+summary: |-
+    Helm vulnerable to Code Injection through malicious chart.yaml content in
+    helm.sh/helm
+cves:
+    - CVE-2025-53547
+ghsas:
+    - GHSA-557j-xg8c-q2mm
+references:
+    - advisory: https://github.com/helm/helm/security/advisories/GHSA-557j-xg8c-q2mm
+    - web: https://github.com/helm/helm/commit/4b8e61093d8f579f1165cdc6bd4b43fa5455f571
+    - web: https://news.ycombinator.com/item?id=44506696
+source:
+    id: GHSA-557j-xg8c-q2mm
+    created: 2025-07-16T11:06:14.161761-04:00
+review_status: REVIEWED
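Review bot: The commit link on the second `references` line is typed `web:`, whereas GO-2025-3770.yaml in this same change types its commit link as `fix:`. If `4b8e61093d8f579f1165cdc6bd4b43fa5455f571` is the commit that landed the 3.18.4 fix, it should read `- fix: https://github.com/helm/helm/commit/4b8e61093d8f579f1165cdc6bd4b43fa5455f571`, so that consumers filtering on reference type can locate the patch. Separately, the summary names `helm.sh/helm` while the only module listed is `helm.sh/helm/v3`. Matching the summary to the module path would avoid implying that other major versions were assessed.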